feat: codex channel

[seefs001]

Summary by CodeRabbit

• New Features

  • Added Codex channel: OAuth sign-in flow, credential management (manual refresh + automated background refresh), streaming support, adaptor integration, new channel option and icon in UI.
  • New Codex OAuth modal in channel editor and Codex Usage modal (quota windows, raw payload export).
  • New API endpoints for Codex OAuth, credential refresh, and usage.

• Bug Fixes

  • Improved error detail surfaced in responses.
  • Relaxed upstream response size limit to allow larger responses.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a new Codex channel (type 57 / APITypeCodex) with a relay adaptor, PKCE OAuth start/complete/refresh flows, Wham usage fetch with refresh-on-401 retry, periodic credential auto-refresh task, controller endpoints/routes, frontend OAuth and usage modals, and supporting DTO/relay adjustments.

Changes

Cohort / File(s)	Summary
Channel constants & mappings constant/api_type.go, constant/channel.go, common/api_type.go	Add APITypeCodex and ChannelTypeCodex (57); update base URL/name mappings; map ChannelTypeCodex → APITypeCodex.
Relay codex adaptor & defs relay/channel/codex/constants.go, relay/channel/codex/oauth_key.go, relay/channel/codex/adaptor.go, relay/common/relay_info.go, relay/relay_adaptor.go	New codex adaptor and ModelList/ChannelName; OAuthKey parser; mark Codex stream-capable; register adaptor in factory; adaptor implements header setup, Responses routing, and unsupported-endpoint responses.
OAuth service & token helpers service/codex_oauth.go, service/codex_wham_usage.go	PKCE flow creation, token exchange/refresh, JWT claim extraction helpers; FetchCodexWhamUsage helper to call Codex Wham usage endpoint.
Credential refresh & task service/codex_credential_refresh.go, service/codex_credential_refresh_task.go, main.go	RefreshCodexChannelCredential implementation and periodic auto-refresh task (master-only) with batching, per-channel timeouts, cache resets, and startup registration.
Controllers & routes controller/codex_oauth.go, controller/channel.go, controller/codex_usage.go, router/api-router.go	Add OAuth start/complete handlers (generic + channel-scoped), refresh handler, GetCodexChannelUsage with refresh-on-401 retry; wire routes.
Frontend UI & integration web/src/components/table/channels/modals/CodexOAuthModal.jsx, web/src/components/table/channels/modals/CodexUsageModal.jsx, web/src/components/table/channels/modals/EditChannelModal.jsx, web/src/hooks/channels/useChannelsData.jsx	Add Codex OAuth modal and Usage modal; EditChannelModal supports type 57 (JSON OAuth key, open modal, refresh action); hook fetches usage and opens modal.
Frontend constants & render web/src/constants/channel.constants.js, web/src/helpers/render.jsx	Add CHANNEL_OPTIONS entry for Codex and map Codex icon to OpenAI icon.
DTO / error handling dto/error.go	Add Detail field to GeneralErrorResponse and prefer it in ToMessage resolution.
Relay compatibility & responses relay/channel/openai/chat_via_responses.go, relay/compatible_handler.go	Remove 10MB read-limit for OpenAI responses; refactor pass-through/Responses selection into local flag and helper.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant FrontendModal as Frontend (OAuth Modal)
    participant ControllerOAuth as Controller (OAuth)
    participant ServiceOAuth as Service (OAuth)
    participant ExternalOAuth as External (Codex OAuth)
    participant DB as Database

    User->>FrontendModal: Click "Start OAuth"
    FrontendModal->>ControllerOAuth: POST /codex/oauth/start
    ControllerOAuth->>ServiceOAuth: CreateCodexOAuthAuthorizationFlow()
    ServiceOAuth->>ServiceOAuth: Generate state + PKCE, build authorize URL
    ServiceOAuth-->>ControllerOAuth: {authorize_url, state, verifier}
    ControllerOAuth-->>FrontendModal: Return authorize URL
    User->>ExternalOAuth: Authenticate & authorize (browser)
    ExternalOAuth-->>User: Redirect with code (callback URL)
    User->>FrontendModal: Paste callback URL
    FrontendModal->>ControllerOAuth: POST /codex/oauth/complete (code,state)
    ControllerOAuth->>ServiceOAuth: ExchangeCodexAuthorizationCode(code,verifier)
    ServiceOAuth->>ExternalOAuth: POST token endpoint
    ExternalOAuth-->>ServiceOAuth: {access_token, refresh_token, expires_in, id_token}
    ServiceOAuth->>ControllerOAuth: TokenResult (with JWT claims)
    ControllerOAuth->>DB: Persist channel credential (or return key)
    ControllerOAuth-->>FrontendModal: Success + stored key

Loading

sequenceDiagram
    participant User
    participant Frontend as Client UI
    participant ControllerUsage as Controller (Usage)
    participant ServiceUsage as Service (Wham)
    participant ServiceOAuth as Service (OAuth)
    participant CodexAPI as Codex Wham API
    participant DB as Database

    User->>Frontend: Open usage for channel
    Frontend->>ControllerUsage: GET /api/channel/:id/codex/usage
    ControllerUsage->>DB: Load channel & OAuth key
    ControllerUsage->>ServiceUsage: FetchCodexWhamUsage(access_token)
    ServiceUsage->>CodexAPI: GET /backend-api/wham/usage
    alt 200
        CodexAPI-->>ServiceUsage: 200 + usage
        ServiceUsage-->>ControllerUsage: return data
    else 401/403
        CodexAPI-->>ServiceUsage: 401/403
        ControllerUsage->>ServiceOAuth: RefreshCodexOAuthToken(refresh_token)
        ServiceOAuth->>CodexAPI: POST token endpoint
        CodexAPI-->>ServiceOAuth: new tokens
        ControllerUsage->>DB: Update stored OAuth key + cache
        ControllerUsage->>ServiceUsage: Retry FetchCodexWhamUsage(new_access_token)
        CodexAPI-->>ServiceUsage: 200 + usage
        ServiceUsage-->>ControllerUsage: return data
    end
    ControllerUsage-->>Frontend: {success, payload}
    Frontend->>User: Show Codex Usage modal

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Revert "feat: add Claude Code channel support with OAuth integration" #1481 — overlaps channel/API type mapping and adaptor registration changes.
• feat: add Claude Code channel support with OAuth integration #1445 — similar addition of an OAuth-backed provider channel and mapping edits.
• feat: 支持渠道级透传选项，支持设置渠道系统提示词 #1441 — related passthrough/SystemPrompt and relay handling changes used by this PR.

Suggested reviewers

• creamlike1024

Poem

🐇 I hopped a PKCE path at dawn,
keys and tokens tucked upon my lawn,
I nudged a modal, fetched the day,
refreshed credentials on the way,
Codex joined — hooray, hooray! 🌱

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 4.88% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'feat: codex channel' directly describes the main change - adding support for a new Codex channel type throughout the codebase. It is concise, clear, and aligns with the extensive changes across API types, constants, controllers, relay handlers, and UI components.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

🧹 Recent nitpick comments

service/openaicompat/chat_to_responses.go (1)

124-142: Consider extracting duplicated tool call parsing logic.

The same tool call parsing logic is repeated three times for assistant messages. This could be extracted into a helper function to reduce duplication and improve maintainability.

♻️ Proposed refactor to extract helper function

Add a helper function:

func appendAssistantToolCalls(inputItems []map[string]any, msg dto.Message) []map[string]any {
	if msg.Role != "assistant" {
		return inputItems
	}
	for _, tc := range msg.ParseToolCalls() {
		if strings.TrimSpace(tc.ID) == "" {
			continue
		}
		if tc.Type != "" && tc.Type != "function" {
			continue
		}
		name := strings.TrimSpace(tc.Function.Name)
		if name == "" {
			continue
		}
		inputItems = append(inputItems, map[string]any{
			"type":      "function_call",
			"call_id":   tc.ID,
			"name":      name,
			"arguments": tc.Function.Arguments,
		})
	}
	return inputItems
}

Then replace each duplicated block with:

-			if role == "assistant" {
-				for _, tc := range msg.ParseToolCalls() {
-					// ... 15 lines of duplicated logic
-				}
-			}
+			inputItems = appendAssistantToolCalls(inputItems, msg)

Also applies to: 151-169, 212-230

relay/channel/openai/chat_via_responses.go (1)

84-88: Consider consolidating tool call state into a struct.

Using five separate maps keyed by the same ID is harder to maintain and reason about. A struct would improve clarity.

♻️ Proposed refactor

+type toolCallState struct {
+	index    int
+	name     string
+	args     string
+	nameSent bool
+}
+
-	toolCallIndexByID := make(map[string]int)
-	toolCallNameByID := make(map[string]string)
-	toolCallArgsByID := make(map[string]string)
-	toolCallNameSent := make(map[string]bool)
-	toolCallCanonicalIDByItemID := make(map[string]string)
+	toolCallStates := make(map[string]*toolCallState)
+	toolCallCanonicalIDByItemID := make(map[string]string)

Then access state via toolCallStates[callID].name, etc.

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6aa9c02 and ecb939d.

📒 Files selected for processing (3)

• dto/openai_response.go
• relay/channel/openai/chat_via_responses.go
• service/openaicompat/chat_to_responses.go

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-08-21T06:31:11.073Z

Learnt from: jiajunly
Repo: QuantumNous/new-api PR: 1629
File: relay/channel/openai/relay-openai.go:170-174
Timestamp: 2025-08-21T06:31:11.073Z
Learning: In relay/channel/openai/relay-openai.go, the streaming logic for the AddThinkFirst feature is designed so that only the first chunk of a stream gets the "<think>\n" prefix. The final flush in the streaming handler intentionally uses addThink=false because the last chunk should never receive the prefix, even in single-chunk streams where the prefix would have been applied during normal processing.

Applied to files:

• relay/channel/openai/chat_via_responses.go

📚 Learning: 2025-06-21T03:37:41.726Z

Learnt from: 9Ninety
Repo: QuantumNous/new-api PR: 1273
File: relay/channel/gemini/relay-gemini.go:97-116
Timestamp: 2025-06-21T03:37:41.726Z
Learning: In relay/channel/gemini/relay-gemini.go, the thinking budget calculation logic (including the MaxOutputTokens multiplication) was introduced in PR `#1247`. PR `#1273` focused specifically on decoupling the thoughts summary feature from thinking budget settings and did not modify the existing thinking budget behavior.

Applied to files:

• relay/channel/openai/chat_via_responses.go

🧬 Code graph analysis (1)

service/openaicompat/chat_to_responses.go (1)

common/json.go (1)

• Marshal (21-23)

🔇 Additional comments (6)

dto/openai_response.go (1)

375-378: LGTM!

The new OutputIndex and ItemID fields are correctly added to support function call argument streaming events. Using *int for OutputIndex ensures proper omitempty behavior (distinguishing between absent and zero), and the JSON tags follow the existing snake_case convention consistent with the OpenAI API.

service/openaicompat/chat_to_responses.go (1)

57-87: Tool/function message handling looks correct.

The logic properly handles tool and function roles by:

1. Extracting the tool call ID and output content
2. Falling back gracefully when content is nil, string, or complex
3. Emitting function_call_output items with proper structure

The fallback for missing call_id (lines 73-78) uses a user message with a special prefix, which is a reasonable degradation strategy to preserve context.

relay/channel/openai/chat_via_responses.go (4)

90-167: Helper functions for streaming are well-structured.

The sendStartIfNeeded and sendToolCallDelta helpers properly manage streaming state with:

• Idempotent start emission via sentStart flag
• Correct error propagation via streamErr
• Tool call index tracking for proper delta ordering
• Usage text accumulation for fallback token estimation

The prioritization at lines 106-108 (skipping tool call deltas when text content exists) aligns with the comment about matching non-stream behavior.

---

220-272: Function call event handling looks correct.

The handling of response.output_item.added/done and response.function_call_arguments.delta events properly:

• Maps item IDs to canonical call IDs for consistent tracking
• Computes argument deltas by comparing with previously accumulated args
• Falls back to full arguments if prefix doesn't match (line 248)

The empty case for response.function_call_arguments.done (lines 271-272) is appropriate since the done event is purely informational.

---

310-314: Finish reason logic correctly implements OpenAI API semantics.

The logic properly returns "tool_calls" when tool calls were emitted without text output, matching the OpenAI API behavior. The duplication between the in-stream (lines 310-313) and post-stream (lines 352-355) paths is acceptable given the short span.

Also applies to: 352-356

---

76-77: Dual builder approach for usage tracking is well-designed.

Using separate outputText (for finish reason determination) and usageText (for token estimation including tool call data) builders correctly handles the different semantics needed for each purpose.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

🤖 Fix all issues with AI agents

In @constant/channel.go:
- Line 120: Replace the incorrect Codex channel base URL string
"https://chatgpt.com" with the proper OpenAI API base
"https://api.openai.com/v1/" so the Codex channel uses the same API endpoint as
the OpenAI channel; locate the entry in the channel list containing
"https://chatgpt.com" (the Codex channel) in constant/channel.go and update that
string to "https://api.openai.com/v1/".

In @controller/channel.go:
- Around line 698-704: The direct DB update bypasses Channel.Update() which runs
important validations (MultiKeySize, status cleanup, UpdateAbilities); replace
the raw update with loading via GetChannelById() (already done), set ch.Key =
string(encoded) and call ch.Update(), check its error and only then call
model.InitChannelCache() and service.ResetProxyClientCache(); if you need
atomicity between DB change and cache refresh, wrap the update and subsequent
cache-refresh-triggering operations in a transaction or ensure you
rollback/cache-only on failure so DB and cache remain consistent.

In @controller/codex_oauth.go:
- Around line 206-216: Session keys are being deleted before the DB update,
which can leave the user unable to retry if
model.DB.Model(&model.Channel{}).Where("id = ?", channelID).Update("key",
string(encoded)).Error fails; move the session.Delete calls (and session.Save)
to after the DB update succeeds and model.InitChannelCache() completes so the
session is only cleared on success, keeping codexOAuthSessionKey(..., "state"),
codexOAuthSessionKey(..., "verifier"), and codexOAuthSessionKey(...,
"created_at") intact if the update returns an error.

In @relay/channel/codex/constants.go:
- Around line 1-9: The ModelList slice in constants.go contains an
invalid/undocumented entry "gpt-5.1-codex-max"; update the ModelList variable to
remove or correct that entry (replace "gpt-5.1-codex-max" with the verified
model name "gpt-5.1-codex-mini" or simply remove the max variant) so that
ModelList only contains valid Codex models (refer to the ModelList symbol and
the string literal "gpt-5.1-codex-max" to locate the change).

In @service/codex_oauth.go:
- Around line 107-116: The code decodes resp.Body into payload before checking
resp.StatusCode, which can misinterpret error responses as missing token fields;
change the logic in the Codex refresh flow to check resp.StatusCode immediately
after receiving resp and handle non-2xx by reading/decoding the error body (or
reading it as a string) and returning a clear error that includes status and
body, and only call json.NewDecoder(resp.Body).Decode(&payload) when
resp.StatusCode indicates success (200–299); update references to resp, payload,
json.NewDecoder.Decode, and the existing status check to implement this ordering
and improved error message.
- Around line 168-176: The code decodes resp.Body into payload before checking
resp.StatusCode; move the status check to occur immediately after receiving resp
(i.e., check resp.StatusCode <200 || >=300 first) and return a formatted error
(optionally including the response body for debugging) before calling
json.NewDecoder(resp.Body). Ensure the same pattern used in
refreshCodexOAuthToken is applied here: only decode into payload when the status
is 2xx and then validate payload.AccessToken/RefreshToken/ExpiresIn.

🧹 Nitpick comments (4)

relay/channel/codex/oauth_key.go (1)

21-29: Consider wrapping the original unmarshal error for debugging.

The original error from common.Unmarshal is discarded, which may make troubleshooting malformed JSON more difficult. Consider using fmt.Errorf to wrap the original error.

♻️ Suggested improvement

 func ParseOAuthKey(raw string) (*OAuthKey, error) {
 	if raw == "" {
 		return nil, errors.New("codex channel: empty oauth key")
 	}
 	var key OAuthKey
 	if err := common.Unmarshal([]byte(raw), &key); err != nil {
-		return nil, errors.New("codex channel: invalid oauth key json")
+		return nil, fmt.Errorf("codex channel: invalid oauth key json: %w", err)
 	}
 	return &key, nil
 }

Note: This would require adding "fmt" to the imports.

router/api-router.go (1)

159-163: LGTM!

The Codex OAuth endpoints are well-organized under the channel route with appropriate AdminAuth protection. The separation between general and channel-specific OAuth flows provides flexibility for both new channel creation and existing channel credential updates.

Consider adding middleware.CriticalRateLimit() to the OAuth endpoints to prevent potential abuse, similar to other sensitive operations in this router (e.g., Lines 30-31, 53-54). OAuth token exchanges involve external API calls that could be exploited for amplification attacks.

♻️ Optional: Add rate limiting to OAuth endpoints

-			channelRoute.POST("/codex/oauth/start", controller.StartCodexOAuth)
-			channelRoute.POST("/codex/oauth/complete", controller.CompleteCodexOAuth)
-			channelRoute.POST("/:id/codex/oauth/start", controller.StartCodexOAuthForChannel)
-			channelRoute.POST("/:id/codex/oauth/complete", controller.CompleteCodexOAuthForChannel)
-			channelRoute.POST("/:id/codex/refresh", controller.RefreshCodexChannelCredential)
+			channelRoute.POST("/codex/oauth/start", middleware.CriticalRateLimit(), controller.StartCodexOAuth)
+			channelRoute.POST("/codex/oauth/complete", middleware.CriticalRateLimit(), controller.CompleteCodexOAuth)
+			channelRoute.POST("/:id/codex/oauth/start", middleware.CriticalRateLimit(), controller.StartCodexOAuthForChannel)
+			channelRoute.POST("/:id/codex/oauth/complete", middleware.CriticalRateLimit(), controller.CompleteCodexOAuthForChannel)
+			channelRoute.POST("/:id/codex/refresh", middleware.CriticalRateLimit(), controller.RefreshCodexChannelCredential)

web/src/components/table/channels/modals/CodexOAuthModal.jsx (1)

123-129: Missing feedback for copy action.

The copy button click handler doesn't provide user feedback on success/failure. The copy utility returns a Promise indicating success.

💡 Suggested improvement

         <Button
           theme='outline'
           disabled={!authorizeUrl || loading}
-          onClick={() => copy(authorizeUrl)}
+          onClick={async () => {
+            const ok = await copy(authorizeUrl);
+            if (ok) {
+              showSuccess(t('已复制'));
+            } else {
+              showError(t('复制失败'));
+            }
+          }}
         >
           {t('复制授权链接')}
         </Button>

controller/codex_oauth.go (1)

98-102: Consider handling session save errors.

The session save error is silently ignored. While session save failures are often non-critical, logging the error would help with debugging issues in production.

💡 Suggested improvement

 session.Set(codexOAuthSessionKey(channelID, "state"), flow.State)
 session.Set(codexOAuthSessionKey(channelID, "verifier"), flow.Verifier)
 session.Set(codexOAuthSessionKey(channelID, "created_at"), time.Now().Unix())
-_ = session.Save()
+if err := session.Save(); err != nil {
+    common.SysLog(fmt.Sprintf("failed to save codex oauth session: %v", err))
+}

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6169f46 and 30de86f.

📒 Files selected for processing (16)

• common/api_type.go
• constant/api_type.go
• constant/channel.go
• controller/channel.go
• controller/codex_oauth.go
• relay/channel/codex/adaptor.go
• relay/channel/codex/constants.go
• relay/channel/codex/oauth_key.go
• relay/common/relay_info.go
• relay/relay_adaptor.go
• router/api-router.go
• service/codex_oauth.go
• web/src/components/table/channels/modals/CodexOAuthModal.jsx
• web/src/components/table/channels/modals/EditChannelModal.jsx
• web/src/constants/channel.constants.js
• web/src/helpers/render.jsx

🧰 Additional context used

🧠 Learnings (4)

📚 Learning: 2025-08-21T06:31:11.073Z

Learnt from: jiajunly
Repo: QuantumNous/new-api PR: 1629
File: relay/channel/openai/relay-openai.go:170-174
Timestamp: 2025-08-21T06:31:11.073Z
Learning: In relay/channel/openai/relay-openai.go, the streaming logic for the AddThinkFirst feature is designed so that only the first chunk of a stream gets the "<think>\n" prefix. The final flush in the streaming handler intentionally uses addThink=false because the last chunk should never receive the prefix, even in single-chunk streams where the prefix would have been applied during normal processing.

Applied to files:

• relay/common/relay_info.go

📚 Learning: 2025-08-08T17:12:43.157Z

Learnt from: RedwindA
Repo: QuantumNous/new-api PR: 1537
File: relay/gemini_handler.go:330-342
Timestamp: 2025-08-08T17:12:43.157Z
Learning: In the new-api repository, the `GeminiEmbeddingHandler` function in `relay/gemini_handler.go` is designed specifically for native Gemini embedding requests and therefore does not require the `ConvertGeminiRequest` step that is used in the chat handler. The embedding requests are already in the native Gemini format and don't need conversion.

Applied to files:

• relay/channel/codex/adaptor.go

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the applyModelMapping function transforms the models list by replacing original model names (mapping values) with display names (mapping keys). The database stores this transformed list containing mapped keys. On channel load, data.models contains these mapped display names, making the initialization filter if (data.models.includes(key)) correct.

Applied to files:

• web/src/components/table/channels/modals/EditChannelModal.jsx

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the database stores mapped keys (display names) in the models field after applying model mapping transformations. When loading a channel, data.models contains the mapped keys, not the original model names. The filtering logic if (data.models.includes(key)) in the initialization is correct.

Applied to files:

• web/src/components/table/channels/modals/EditChannelModal.jsx

🧬 Code graph analysis (8)

relay/common/relay_info.go (1)

constant/channel.go (1)

• ChannelTypeCodex (57-57)

relay/channel/codex/oauth_key.go (1)

common/json.go (1)

• Unmarshal (9-11)

router/api-router.go (2)

controller/codex_oauth.go (4)

• StartCodexOAuth (62-64)
• CompleteCodexOAuth (113-115)
• StartCodexOAuthForChannel (66-73)
• CompleteCodexOAuthForChannel (117-124)

controller/channel.go (1)

• RefreshCodexChannelCredential (633-719)

web/src/components/table/channels/modals/CodexOAuthModal.jsx (2)

web/src/helpers/utils.jsx (3)

• showSuccess (157-159)
• showError (122-151)
• copy (72-95)

web/src/helpers/render.jsx (1)

• value (1011-1011)

relay/relay_adaptor.go (3)

constant/api_type.go (1)

• APITypeCodex (38-38)

relay/channel/codex/adaptor.go (1)

• Adaptor (20-21)

relay/channel/adapter.go (1)

• Adaptor (15-32)

common/api_type.go (2)

constant/channel.go (1)

• ChannelTypeCodex (57-57)

constant/api_type.go (1)

• APITypeCodex (38-38)

relay/channel/codex/adaptor.go (5)

relay/common/relay_info.go (1)

• RelayInfo (82-131)

common/json.go (2)

• Marshal (21-23)
• Unmarshal (9-11)

relay/constant/relay_mode.go (1)

• RelayModeResponses (48-48)

relay/common/relay_utils.go (1)

• GetFullRequestURL (25-37)

relay/channel/codex/oauth_key.go (1)

• ParseOAuthKey (21-30)

web/src/components/table/channels/modals/EditChannelModal.jsx (2)

web/src/helpers/utils.jsx (4)

• showSuccess (157-159)
• showError (122-151)
• verifyJSON (273-280)
• verifyJSON (273-280)

web/src/components/table/channels/modals/CodexOAuthModal.jsx (1)

• CodexOAuthModal (27-145)

🔇 Additional comments (34)

constant/api_type.go (1)

38-38: LGTM!

The new APITypeCodex constant is correctly placed before the sentinel APITypeDummy, preserving existing iota values.

relay/channel/codex/oauth_key.go (1)

9-19: LGTM!

The OAuthKey struct is well-designed with appropriate JSON tags and optional fields using omitempty. The field selection covers the necessary OAuth token lifecycle data.

controller/channel.go (3)

4-19: LGTM!

The new imports for context, time, and the codex package are correctly added to support the new Codex OAuth functionality.

---

610-628: LGTM!

The Codex OAuth key validation correctly enforces the JSON object format and ensures required fields (access_token and account_id) are present. The conditional logic appropriately handles both add and update scenarios.

---

633-671: LGTM!

The RefreshCodexChannelCredential handler follows a solid pattern:

• Proper input validation for channel ID and type
• Parses existing OAuth key and validates refresh_token presence
• Appropriate 10-second timeout for external OAuth call
• Clear error responses for each failure case

service/codex_oauth.go (4)

17-25: Hardcoded OAuth client credentials and localhost redirect URI.

The OAuth client ID and redirect URI are hardcoded. The localhost:1455 redirect URI suggests this is designed for CLI/local flows. Verify this is the intended design and ensure these values don't need to be configurable for different deployment environments.

---

215-224: LGTM!

The PKCE implementation correctly follows RFC 7636:

• 32 bytes of cryptographically random data for the verifier
• Base64 URL encoding without padding (RawURLEncoding)
• SHA-256 hash for the S256 challenge method

---

274-288: JWT claims extraction without signature verification.

The decodeJWTClaims function extracts claims without verifying the JWT signature. This is acceptable here since the token originates from the trusted Codex OAuth server and is used only for extracting metadata (account ID, email) for display purposes, not for authentication decisions.

---

40-69: LGTM!

The public API surface is well-designed with clear separation between the public functions and internal implementation details. The CreateCodexOAuthAuthorizationFlow function properly encapsulates PKCE state generation.

web/src/helpers/render.jsx (1)

302-305: LGTM!

Adding Codex (case 57) to share the OpenAI icon with cases 1 and 3 is appropriate, as Codex is an OpenAI-based service.

common/api_type.go (1)

76-77: LGTM!

The mapping from ChannelTypeCodex to APITypeCodex follows the established pattern and correctly extends the channel-to-API type translation.

constant/channel.go (2)

57-57: LGTM!

ChannelTypeCodex is correctly assigned value 57 and placed before the ChannelTypeDummy sentinel.

---

177-177: LGTM!

The ChannelTypeNames mapping entry correctly associates ChannelTypeCodex with the display name "Codex".

web/src/constants/channel.constants.js (1)

187-191: LGTM!

The new Codex channel option is correctly added with value 57, consistent with the backend ChannelTypeCodex constant. The entry follows the existing pattern and styling conventions.

relay/relay_adaptor.go (2)

14-14: LGTM!

The import is correctly placed in alphabetical order.

---

121-122: LGTM!

The Codex adaptor case follows the established pattern. All 15 methods of the channel.Adaptor interface are properly implemented in codex.Adaptor.

relay/common/relay_info.go (1)

277-277: LGTM!

Adding Codex to streamSupportedChannels is appropriate since Codex uses OpenAI-compatible APIs that support streaming.

web/src/components/table/channels/modals/CodexOAuthModal.jsx (3)

33-52: LGTM!

The startOAuth function correctly manages loading state, validates the response structure, opens the authorization URL in a new tab with security attributes (noopener,noreferrer), and provides appropriate user feedback.

---

54-84: LGTM!

The completeOAuth function has proper input validation, loading state management, error handling, and correctly invokes callbacks in the right order (onSuccess before onCancel to close the modal).

---

86-90: LGTM!

The useEffect correctly resets component state when the modal becomes visible, ensuring a clean slate for each OAuth flow attempt.

controller/codex_oauth.go (3)

163-173: LGTM - Proper CSRF protection with state validation.

The state validation correctly prevents CSRF attacks by comparing the returned state with the expected state stored in the session. The check for empty verifier/state also handles session expiration gracefully.

---

175-182: LGTM - Appropriate timeout for token exchange.

The 15-second context timeout is reasonable for the OAuth token exchange operation, preventing indefinite hangs on external service calls.

---

31-60: LGTM - Flexible input parsing.

The parseCodexAuthorizationInput function handles multiple input formats gracefully: full URL with query params, code#state format, and plain code. This provides good UX flexibility.

web/src/components/table/channels/modals/EditChannelModal.jsx (7)

218-220: LGTM!

State variables for Codex OAuth modal visibility and credential refresh loading are properly initialized.

---

843-846: LGTM!

The handler correctly updates the key field and then formats it as JSON. The order is important since formatJsonField reads from inputs state.

---

1117-1156: LGTM - Thorough validation for Codex OAuth credentials.

The validation properly:

1. Prevents batch creation for Codex channels
2. Requires key for new channels
3. Validates JSON structure
4. Ensures required fields (access_token, account_id) are present
5. Re-serializes to normalize the JSON

---

508-519: LGTM - Proper state reset when switching to Codex channel type.

When the channel type changes to 57 (Codex), the code correctly resets batch mode and vertex-related state since Codex uses a different credential model.

---

1972-2047: LGTM - Well-structured UI for Codex OAuth flow.

The UI properly:

• Shows appropriate placeholder with JSON example
• Provides OAuth authorization button
• Shows refresh credential button in edit mode with loading state
• Includes format helper and key viewing options
• Respects isIonetLocked disabled state

---

1489-1489: LGTM!

Correctly excludes type 57 (Codex) from batch creation since Codex channels require OAuth credentials that cannot be batch-created.

---

848-867: No action needed — the refresh endpoint is properly defined and wired.

The endpoint /api/channel/:id/codex/refresh exists in router/api-router.go (line 163) and is correctly routed to controller.RefreshCodexChannelCredential. The frontend code calling this endpoint is correct.

Likely an incorrect or invalid review comment.

relay/channel/codex/adaptor.go (4)

54-91: LGTM - System prompt injection logic is correct.

The logic properly handles three cases:

1. No existing instructions → set system prompt
2. Existing instructions with override flag → prepend system prompt
3. Existing instructions without override → keep existing

The error handling for marshal/unmarshal operations is thorough.

---

97-106: LGTM - Appropriate mode restriction.

The adaptor correctly restricts to RelayModeResponses only, which aligns with Codex's API design. The delegation to OpenAI handlers for stream/non-stream responses is appropriate since Codex uses OpenAI-compatible response formats.

---

123-157: LGTM - Robust header setup with validation.

The method properly:

1. Validates the key is a JSON object
2. Parses OAuth credentials using ParseOAuthKey
3. Validates required fields (access_token, account_id)
4. Sets appropriate headers (Authorization, chatgpt-account-id)
5. Applies sensible defaults for OpenAI-Beta and originator headers

---

23-52: LGTM - Clear unsupported endpoint handling.

The stub methods clearly communicate that these endpoints are not supported for the Codex channel, returning consistent error messages.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

OpenAI Codex API endpoint URL documentation

💡 Result:

Short answer: OpenAI’s Codex/docs live on OpenAI’s developer sites; Codex uses the standard OpenAI REST API base URL (https://api.openai.com/v1/) and Codex-specific guidance is in the Codex docs.

Where to read:

• Codex developer docs (features, CLI/IDE integration): developers.openai.com/codex. [1]
• Platform Codex overview & guidance: platform.openai.com/docs/codex. [2]
• General OpenAI API reference (base endpoint and REST endpoints like /v1/models, /v1/chat/completions, /v1/files): platform.openai.com/docs/api-reference (base URL: https://api.openai.com/v1/). [3]

References:
[1] developers.openai.com/codex.
[2] platform.openai.com/docs/codex.
[3] platform.openai.com/docs/api-reference/introduction.

---

🏁 Script executed:

# First, let's examine the constant/channel.go file to understand the context
head -n 150 constant/channel.go | tail -n 40

Repository: QuantumNous/new-api

Length of output: 1666

---

🏁 Script executed:

# Search for where this URL constant is used in the codebase
rg "chatgpt\.com" -B 2 -A 2

Repository: QuantumNous/new-api

Length of output: 318

---

🏁 Script executed:

# Search for the channel type constant that corresponds to position 57
rg "ChannelType" constant/channel.go | head -n 70 | tail -n 20

Repository: QuantumNous/new-api

Length of output: 876

---

Fix the Codex channel base URL to use the correct API endpoint.

The URL https://chatgpt.com at line 120 is the ChatGPT web interface, not an API endpoint. According to OpenAI's official documentation, the Codex API uses https://api.openai.com/v1/ as the base endpoint, matching the OpenAI channel at line 119. Requests to chatgpt.com will fail and cannot access the Codex API.

🤖 Prompt for AI Agents

In @constant/channel.go at line 120, Replace the incorrect Codex channel base
URL string "https://chatgpt.com" with the proper OpenAI API base
"https://api.openai.com/v1/" so the Codex channel uses the same API endpoint as
the OpenAI channel; locate the entry in the channel list containing
"https://chatgpt.com" (the Codex channel) in constant/channel.go and update that
string to "https://api.openai.com/v1/".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for Channel.Update method
echo "=== Checking for Channel.Update method ==="
rg -n 'func.*\(.*\*?Channel.*\).*Update\(' --type go

echo "=== Checking for common.Marshal function ==="
rg -n 'func Marshal' --type go

echo "=== Get context around lines 698-704 in controller/channel.go ==="
sed -n '690,720p' controller/channel.go

echo "=== Check the RefreshCodexChannelCredential function signature and context ==="
sed -n '633,650p' controller/channel.go

Repository: QuantumNous/new-api

Length of output: 1610

---

🏁 Script executed:

#!/bin/bash
# Check the Channel.Update() method implementation
echo "=== Channel.Update() implementation ==="
sed -n '458,480p' model/channel.go

# Also check if there are any validation hooks in the Channel model
echo -e "\n=== Check Channel struct and its methods ==="
sed -n '1,100p' model/channel.go | head -50

Repository: QuantumNous/new-api

Length of output: 3186

---

🏁 Script executed:

#!/bin/bash
# Get the full Channel.Update() method implementation
echo "=== Full Channel.Update() method ==="
sed -n '458,550p' model/channel.go

Repository: QuantumNous/new-api

Length of output: 3075

---

🏁 Script executed:

#!/bin/bash
# Verify if Codex channel could be multi-key and what UpdateAbilities does
echo "=== Search for Codex channel type constant ==="
rg -n 'ChannelTypeCodex' --type go

echo "=== Search for UpdateAbilities method ==="
rg -n 'func.*UpdateAbilities' --type go

echo "=== Check if there are other direct DB updates that bypass Channel.Update ==="
rg -n 'Update.*key.*Where.*id' controller/channel.go --type go

Repository: QuantumNous/new-api

Length of output: 842

---

🏁 Script executed:

#!/bin/bash
# Verify the cache refresh operations
echo "=== Check InitChannelCache implementation ==="
rg -n 'func InitChannelCache' --type go -A 10

echo "=== Check ResetProxyClientCache implementation ==="
rg -n 'func ResetProxyClientCache' --type go -A 5

echo "=== Check UpdateAbilities signature ==="
sed -n '193,210p' model/ability.go

Repository: QuantumNous/new-api

Length of output: 1558

---

Use ch.Update() to ensure model-layer validations and consistency checks are applied.

The direct model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key", string(encoded)) call bypasses critical logic in Channel.Update(), including MultiKeySize recalculation for multi-key channels, status data cleanup, and the UpdateAbilities() call. Since ch is already loaded via GetChannelById(), use ch.Key = string(encoded); ch.Update() instead. Additionally, the direct update and cache refresh are separate operations without transactional wrapping—if either fails, the database state and cache could become inconsistent.

🤖 Prompt for AI Agents

In @controller/channel.go around lines 698 - 704, The direct DB update bypasses
Channel.Update() which runs important validations (MultiKeySize, status cleanup,
UpdateAbilities); replace the raw update with loading via GetChannelById()
(already done), set ch.Key = string(encoded) and call ch.Update(), check its
error and only then call model.InitChannelCache() and
service.ResetProxyClientCache(); if you need atomicity between DB change and
cache refresh, wrap the update and subsequent cache-refresh-triggering
operations in a transaction or ensure you rollback/cache-only on failure so DB
and cache remain consistent.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Session cleanup occurs before DB operation - potential state inconsistency.

If the DB update (line 212) fails, the session has already been cleared (lines 206-209), preventing the user from retrying without restarting the OAuth flow. Consider moving session cleanup after the DB operation succeeds.

🔧 Proposed fix

-session.Delete(codexOAuthSessionKey(channelID, "state"))
-session.Delete(codexOAuthSessionKey(channelID, "verifier"))
-session.Delete(codexOAuthSessionKey(channelID, "created_at"))
-_ = session.Save()
-
 if channelID > 0 {
     if err := model.DB.Model(&model.Channel{}).Where("id = ?", channelID).Update("key", string(encoded)).Error; err != nil {
         common.ApiError(c, err)
         return
     }
+    session.Delete(codexOAuthSessionKey(channelID, "state"))
+    session.Delete(codexOAuthSessionKey(channelID, "verifier"))
+    session.Delete(codexOAuthSessionKey(channelID, "created_at"))
+    _ = session.Save()
     model.InitChannelCache()
     service.ResetProxyClientCache()
     // ... rest of response
     return
 }

+session.Delete(codexOAuthSessionKey(channelID, "state"))
+session.Delete(codexOAuthSessionKey(channelID, "verifier"))
+session.Delete(codexOAuthSessionKey(channelID, "created_at"))
+_ = session.Save()
+
 c.JSON(http.StatusOK, gin.H{
     // ... response for non-channel case
 })

🤖 Prompt for AI Agents

In @controller/codex_oauth.go around lines 206 - 216, Session keys are being
deleted before the DB update, which can leave the user unable to retry if
model.DB.Model(&model.Channel{}).Where("id = ?", channelID).Update("key",
string(encoded)).Error fails; move the session.Delete calls (and session.Save)
to after the DB update succeeds and model.InitChannelCache() completes so the
session is only cleared on success, keeping codexOAuthSessionKey(..., "state"),
codexOAuthSessionKey(..., "verifier"), and codexOAuthSessionKey(...,
"created_at") intact if the update returns an error.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

OpenAI Codex API endpoint documentation

💡 Result:

Here are the official OpenAI documentation pages for Codex and related API/endpoint references:

• Codex overview (product & links to docs): OpenAI Codex page. [1]
• Codex on the OpenAI/Platform docs (Codex cloud & platform integration): platform docs. [2]
• Codex CLI reference (commands, flags, config). [3]
• Codex GitHub action (notes about Responses API endpoint usage / non-default endpoints, including Azure). [4]

If you want specific API endpoint names/hostnames (e.g., api.openai.com, mtls.api.openai.com, Azure endpoints) or a network configuration guide, tell me which environment (public OpenAI vs. Azure OpenAI vs. mTLS) and I’ll fetch exact endpoint details and ports.

Sources:
[1] https://openai.com/codex
[2] https://platform.openai.com/docs/codex
[3] https://developers.openai.com/codex/cli/reference
[4] https://github.com/openai/codex-action

---

🌐 Web query:

Codex API endpoint path "/v1/codex" OR "/backend-api/codex" OpenAI documentation

💡 Result:

Short answer: OpenAI's public Platform docs do not list a public API endpoint named "/v1/codex" or a documented official endpoint at "/backend-api/codex". The Codex product is exposed via the Codex CLI/SDK and the platform’s documented APIs (Responses/Chat/Completions as appropriate), while paths like "https://chatgpt.com/backend-api/codex/..." appear in implementation/CLI/github discussions as internal/web-backend endpoints used by the Codex CLI/web UI, not as published public API endpoints. [1][2][3][4]

Sources:

• OpenAI Codex product/docs pages (Codex product is provided via CLI/SDK and platform integrations). [1]
• OpenAI Platform deprecations/docs (shows Codex-related API transitions and platform docs). [2]
• openai/codex GitHub issues referencing requests to chatgpt.com/backend-api/codex/responses (shows backend usage, not public platform docs). [3][4]

---

🏁 Script executed:

cd relay/channel/codex && find . -type f -name "*.go" -o -name "*.md" | head -20

Repository: QuantumNous/new-api

Length of output: 105

---

🏁 Script executed:

rg "codex|/backend-api|responses" relay/channel/codex/ -A 2 -B 2

Repository: QuantumNous/new-api

Length of output: 5849

---

🏁 Script executed:

rg "codex" relay/ --type go -l | head -10

Repository: QuantumNous/new-api

Length of output: 182

---

Use documented OpenAI API endpoint for Codex integration.

The hardcoded path /backend-api/codex/responses is an internal backend endpoint not documented in OpenAI's official Platform API documentation. Using undocumented internal endpoints risks breaking when the backend changes. Verify this endpoint against OpenAI's official API documentation and use only published endpoints, or document why this internal endpoint is necessary and acceptable for your use case.

Additionally, the error message on line 118 states "only /v1/responses is supported" but the code actually calls /backend-api/codex/responses—reconcile this discrepancy.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

OpenAI Codex API models 2025 available

💡 Result:

As of 2025 (end of year), the main Codex-related API models/releases available from OpenAI were:

• codex-mini-latest (small/low-latency Codex model for CLI/Responses API). [1]
• gpt-5-codex (GPT‑5 variant optimized for Codex / Responses API rollout Sept 2025). [2]
• gpt-5.1-codex (GPT‑5.1 Codex variants added later in 2025, incl. gpt-5.1-codex and gpt-5.1-codex-mini). [3]

Sources: OpenAI Codex announcement and docs. [1] OpenAI — Introducing Codex. [2] OpenAI — Introducing upgrades to Codex (Sept 2025). [3] OpenAI Codex changelog.

---

🌐 Web query:

OpenAI GPT-5 models 2025 2026

💡 Result:

Here’s a concise timeline and summary of OpenAI’s GPT‑5 family (2025–early 2026), based on OpenAI sources:

• Announcement — GPT‑5 launched (Aug 7, 2025): introduced as a unified system (gpt‑5‑main, gpt‑5‑thinking, router, plus “pro”/thinking variants) and made default in ChatGPT. (openai.com)
• System details — model names/variants (main, main‑mini, thinking, thinking‑mini, thinking‑nano, thinking‑pro) and safety framing published in the GPT‑5 System Card. (openai.com)
• Safety/testing — GPT‑5 bio bug bounty and related safety efforts announced (September 2025) as OpenAI deployed GPT‑5 and invited researchers. (openai.com)
• Codex integration — GPT‑5‑Codex variant announced for coding/Codex surfaces (Sept 2025) and later added to the Responses API. (openai.com)
• Iterative upgrades — OpenAI released GPT‑5.1 (Nov 21, 2025) and GPT‑5.2 (Dec 11, 2025) as follow-up improvements (faster, better reasoning, updated knowledge cutoff for 5.2). (academy.openai.com)

If you want specific technical/API details (model IDs, pricing, rollout status for Free/Plus/Pro/Enterprise, or changelog entries) I can fetch and list those exact docs/lines. Which details do you need?

Citations:

• 1: https://openai.com/index/introducing-gpt-5?utm_source=openai
• 2: https://openai.com/blog/gpt-5-system-card/?utm_source=openai
• 3: https://openai.com/gpt-5-bio-bug-bounty?utm_source=openai
• 4: https://openai.com/index/introducing-upgrades-to-codex/?utm_source=openai
• 5: https://academy.openai.com/home/resources/intro-gpt-5-1?utm_source=openai

---

Remove or correct "gpt-5.1-codex-max" in the ModelList—it does not match available Codex API models.

The model list contains an unconfirmed variant. Web search confirms that OpenAI released gpt-5.1-codex and gpt-5.1-codex-mini as part of Codex integration in 2025, but no gpt-5.1-codex-max variant has been documented. The pattern suggests gpt-5.1-codex-mini rather than a "max" variant. Verify the correct model name against current OpenAI Codex API documentation and correct the entry accordingly.

Confirmed models from the list:

• gpt-5-codex ✓
• gpt-5.1-codex ✓
• gpt-5.1-codex-mini ✓
• gpt-5.2 ✓

🤖 Prompt for AI Agents

In @relay/channel/codex/constants.go around lines 1 - 9, The ModelList slice in
constants.go contains an invalid/undocumented entry "gpt-5.1-codex-max"; update
the ModelList variable to remove or correct that entry (replace
"gpt-5.1-codex-max" with the verified model name "gpt-5.1-codex-mini" or simply
remove the max variant) so that ModelList only contains valid Codex models
(refer to the ModelList symbol and the string literal "gpt-5.1-codex-max" to
locate the change).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Check HTTP status code before decoding the response body.

The current order decodes the JSON body first (line 107), then checks the status code (line 110). If the OAuth server returns an error response (e.g., 401), the body may contain error JSON rather than token data. This could cause misleading "missing fields" errors instead of proper HTTP error messages.

🐛 Proposed fix

 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()

+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("codex oauth refresh failed: status=%d", resp.StatusCode)
+	}
+
 	var payload struct {
 		AccessToken  string `json:"access_token"`
 		RefreshToken string `json:"refresh_token"`
 		ExpiresIn    int    `json:"expires_in"`
 	}

 	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
 		return nil, err
 	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return nil, fmt.Errorf("codex oauth refresh failed: status=%d", resp.StatusCode)
-	}

 	if strings.TrimSpace(payload.AccessToken) == "" || strings.TrimSpace(payload.RefreshToken) == "" || payload.ExpiresIn <= 0 {
 		return nil, errors.New("codex oauth refresh response missing fields")
 	}

🤖 Prompt for AI Agents

In @service/codex_oauth.go around lines 107 - 116, The code decodes resp.Body
into payload before checking resp.StatusCode, which can misinterpret error
responses as missing token fields; change the logic in the Codex refresh flow to
check resp.StatusCode immediately after receiving resp and handle non-2xx by
reading/decoding the error body (or reading it as a string) and returning a
clear error that includes status and body, and only call
json.NewDecoder(resp.Body).Decode(&payload) when resp.StatusCode indicates
success (200–299); update references to resp, payload, json.NewDecoder.Decode,
and the existing status check to implement this ordering and improved error
message.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Same issue: Check HTTP status code before decoding.

This function has the same ordering problem as refreshCodexOAuthToken. The status code check (line 171) should occur before attempting to decode the response body (line 168).

🐛 Proposed fix

 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()

+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("codex oauth code exchange failed: status=%d", resp.StatusCode)
+	}
+
 	var payload struct {
 		AccessToken  string `json:"access_token"`
 		RefreshToken string `json:"refresh_token"`
 		ExpiresIn    int    `json:"expires_in"`
 	}
 	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
 		return nil, err
 	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return nil, fmt.Errorf("codex oauth code exchange failed: status=%d", resp.StatusCode)
-	}

🤖 Prompt for AI Agents

In @service/codex_oauth.go around lines 168 - 176, The code decodes resp.Body
into payload before checking resp.StatusCode; move the status check to occur
immediately after receiving resp (i.e., check resp.StatusCode <200 || >=300
first) and return a formatted error (optionally including the response body for
debugging) before calling json.NewDecoder(resp.Body). Ensure the same pattern
used in refreshCodexOAuthToken is applied here: only decode into payload when
the status is 2xx and then validate payload.AccessToken/RefreshToken/ExpiresIn.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @controller/codex_usage.go:
- Around line 91-96: Silent error handling in the token persist block can hide
failures from common.Marshal and the DB update; check and handle encErr from
common.Marshal(oauthKey) and capture the error returned by
model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key",
string(encoded)).Error, logging both via the existing logger (or processLogger)
and returning or propagating an error so the caller knows persistence failed,
and ensure you don't suppress failures before calling model.InitChannelCache()
and service.ResetProxyClientCache().

🧹 Nitpick comments (4)

service/codex_wham_usage_test.go (1)

14-56: Good test coverage for the happy path and basic validation.

The test correctly verifies request construction, header values, and response handling using a clean mock transport pattern.

Consider adding tests for remaining validation branches (nil client, empty accessToken, empty accountID) and error scenarios (HTTP client failure, body read failure) to improve coverage.

controller/codex_usage.go (1)

77-105: Token refresh failure is not communicated to the user.

When service.RefreshCodexOAuthToken fails (line 81), the code proceeds to return the original 401/403 response without informing the user that a refresh was attempted and failed. This may make debugging difficult.

Consider logging the refresh error or including it in the response message when the upstream status indicates auth failure and refresh was attempted but unsuccessful.

web/src/components/table/channels/modals/CodexUsageModal.jsx (1)

161-168: Consider using instance-based modal closure.

Modal.destroyAll() will close all open modals, which could be disruptive if multiple modals are open simultaneously. If Semi UI supports instance-based closure (e.g., storing the return value of Modal.info() and calling .destroy() on it), that would be more precise.

web/src/hooks/channels/useChannelsData.jsx (1)

749-749: Consider using a named constant for Codex channel type.

The magic number 57 for Codex channel type reduces readability. Consider importing and using a constant (e.g., CHANNEL_TYPE_CODEX) from your constants file for better maintainability and consistency with how other channel types might be referenced.

+import { CHANNEL_TYPE_CODEX } from '../../constants';
 ...
-    if (record?.type === 57) {
+    if (record?.type === CHANNEL_TYPE_CODEX) {

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 30de86f and f6afa74.

📒 Files selected for processing (7)

• controller/codex_usage.go
• relay/channel/codex/constants.go
• router/api-router.go
• service/codex_wham_usage.go
• service/codex_wham_usage_test.go
• web/src/components/table/channels/modals/CodexUsageModal.jsx
• web/src/hooks/channels/useChannelsData.jsx

🚧 Files skipped from review as they are similar to previous changes (1)

• relay/channel/codex/constants.go

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the database stores mapped keys (display names) in the models field after applying model mapping transformations. When loading a channel, data.models contains the mapped keys, not the original model names. The filtering logic if (data.models.includes(key)) in the initialization is correct.

Applied to files:

• web/src/hooks/channels/useChannelsData.jsx

🧬 Code graph analysis (3)

web/src/hooks/channels/useChannelsData.jsx (3)

web/src/helpers/api.js (6)

• res (224-224)
• res (225-225)
• res (301-301)
• res (302-302)
• API (29-37)
• API (29-37)

web/src/helpers/utils.jsx (2)

• showError (122-151)
• copy (72-95)

web/src/components/table/channels/modals/CodexUsageModal.jsx (2)

• openCodexUsageModal (92-169)
• openCodexUsageModal (92-169)

router/api-router.go (3)

controller/codex_oauth.go (4)

• StartCodexOAuth (62-64)
• CompleteCodexOAuth (113-115)
• StartCodexOAuthForChannel (66-73)
• CompleteCodexOAuthForChannel (117-124)

controller/channel.go (1)

• RefreshCodexChannelCredential (633-719)

controller/codex_usage.go (1)

• GetCodexChannelUsage (21-124)

service/codex_wham_usage_test.go (1)

service/codex_wham_usage.go (1)

• FetchCodexWhamUsage (11-56)

🔇 Additional comments (9)

service/codex_wham_usage.go (1)

1-56: LGTM! Well-structured HTTP client function with proper validation.

The implementation correctly validates inputs, handles URL normalization, and properly propagates context. Error handling is appropriate, returning the status code even when body reading fails.

Minor observation: The originator header check (lines 41-43) will always evaluate to true since the header is never set before this point on a newly created request. If this is intentional as a default value, consider simplifying to just req.Header.Set("originator", "codex_cli_rs") without the conditional, or add a comment clarifying the intent for future extensibility.

service/codex_wham_usage_test.go (1)

58-62: Clean mock transport implementation.

The roundTripperFunc type adapter is a well-established Go idiom for mocking http.RoundTripper.

controller/codex_usage.go (1)

21-124: Overall handler structure is sound.

The handler properly validates inputs, handles the Codex-specific OAuth flow with automatic token refresh, and returns a consistent response structure. The timeout management with multiple contexts is appropriate for the different operations.

router/api-router.go (1)

159-164: LGTM! Routes are properly organized under admin authentication.

The new Codex OAuth and usage endpoints follow the existing routing patterns and are correctly protected by AdminAuth middleware. The separation between channel-specific (/:id/...) and generic (/codex/oauth/...) endpoints aligns with the controller implementations.

web/src/components/table/channels/modals/CodexUsageModal.jsx (3)

25-58: Well-implemented utility functions with proper defensive checks.

The helper functions handle edge cases appropriately with Number.isFinite() checks and fallback values. The formatting logic is clear and user-friendly.

---

60-90: Clean, reusable RateLimitWindowCard component.

The component properly handles optional windowData with nullish coalescing and presents rate limit information clearly with color-coded progress indicators.

---

92-169: Overall modal implementation is solid.

The modal properly extracts and displays rate limit data with sensible defaults, provides raw JSON viewing with copy functionality, and has a clean responsive layout.

web/src/hooks/channels/useChannelsData.jsx (2)

749-771: Modal opens even after showing an error - is this intentional?

When res?.data?.success is false (line 754), an error is shown via showError() (line 755), but the modal still opens (line 757) with the failed response payload. This may confuse users who see both an error toast and a modal with error data.

If the intent is to let users inspect the raw error response, consider adding a clarifying comment. Otherwise, the modal opening should be conditional on success.

🔧 Suggested fix if modal should only open on success

       try {
         const res = await API.get(`/api/channel/${record.id}/codex/usage`, {
           skipErrorHandler: true,
         });
         if (!res?.data?.success) {
           showError(res?.data?.message || t('Failed to fetch usage'));
+          return;
         }
         openCodexUsageModal({

---

39-39: Import added correctly.

The new import aligns with the Codex usage modal feature addition.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Silent error handling may hide persistence failures.

If common.Marshal(oauthKey) fails or the DB update fails, the error is silently discarded. The user will see a successful response (if the retry works), but the refreshed tokens won't be persisted—causing the next request to fail again and trigger another refresh cycle.

🔧 Suggested improvement

 			encoded, encErr := common.Marshal(oauthKey)
-			if encErr == nil {
-				_ = model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key", string(encoded)).Error
+			if encErr != nil {
+				common.SysLog(fmt.Sprintf("failed to marshal oauth key for channel %d: %v", ch.Id, encErr))
+			} else if err := model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key", string(encoded)).Error; err != nil {
+				common.SysLog(fmt.Sprintf("failed to persist refreshed token for channel %d: %v", ch.Id, err))
+			} else {
 				model.InitChannelCache()
 				service.ResetProxyClientCache()
 			}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	encoded, encErr := common.Marshal(oauthKey)
	if encErr == nil {
	_ = model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key", string(encoded)).Error
	model.InitChannelCache()
	service.ResetProxyClientCache()
	}
	encoded, encErr := common.Marshal(oauthKey)
	if encErr != nil {
	common.SysLog(fmt.Sprintf("failed to marshal oauth key for channel %d: %v", ch.Id, encErr))
	} else if err := model.DB.Model(&model.Channel{}).Where("id = ?", ch.Id).Update("key", string(encoded)).Error; err != nil {
	common.SysLog(fmt.Sprintf("failed to persist refreshed token for channel %d: %v", ch.Id, err))
	} else {
	model.InitChannelCache()
	service.ResetProxyClientCache()
	}

🤖 Prompt for AI Agents

In @controller/codex_usage.go around lines 91 - 96, Silent error handling in the
token persist block can hide failures from common.Marshal and the DB update;
check and handle encErr from common.Marshal(oauthKey) and capture the error
returned by model.DB.Model(&model.Channel{}).Where("id = ?",
ch.Id).Update("key", string(encoded)).Error, logging both via the existing
logger (or processLogger) and returning or propagating an error so the caller
knows persistence failed, and ensure you don't suppress failures before calling
model.InitChannelCache() and service.ResetProxyClientCache().

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

web/src/components/table/channels/modals/CodexUsageModal.jsx (1)

161-168: Modal.destroyAll() closes all open modals — consider using a more targeted approach.

Using Modal.destroyAll() will close every open modal in the application, not just this Codex usage modal. If users have multiple modals open (e.g., an edit modal behind this one), they would all be unexpectedly closed.

♻️ Suggested fix using modal instance destroy

Semi UI Modal.info() returns a modal instance that can be destroyed specifically:

-  Modal.info({
+  const modal = Modal.info({
     title: (
       // ...
     ),
     // ...
     footer: (
       <div className='flex justify-end gap-2'>
-        <Button type='primary' theme='solid' onClick={() => Modal.destroyAll()}>
+        <Button type='primary' theme='solid' onClick={() => modal.destroy()}>
           {t('Close')}
         </Button>
       </div>
     ),
   });

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6afa74 and 8442361.

📒 Files selected for processing (6)

• controller/codex_usage.go
• relay/channel/codex/constants.go
• router/api-router.go
• service/codex_wham_usage.go
• web/src/components/table/channels/modals/CodexUsageModal.jsx
• web/src/hooks/channels/useChannelsData.jsx

🚧 Files skipped from review as they are similar to previous changes (3)

• relay/channel/codex/constants.go
• router/api-router.go
• controller/codex_usage.go

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the database stores mapped keys (display names) in the models field after applying model mapping transformations. When loading a channel, data.models contains the mapped keys, not the original model names. The filtering logic if (data.models.includes(key)) in the initialization is correct.

Applied to files:

• web/src/hooks/channels/useChannelsData.jsx

🧬 Code graph analysis (1)

web/src/hooks/channels/useChannelsData.jsx (3)

web/src/helpers/api.js (6)

• res (224-224)
• res (225-225)
• res (301-301)
• res (302-302)
• API (29-37)
• API (29-37)

web/src/helpers/utils.jsx (3)

• showError (122-151)
• copy (72-95)
• showSuccess (157-159)

web/src/components/table/channels/modals/CodexUsageModal.jsx (2)

• openCodexUsageModal (92-169)
• openCodexUsageModal (92-169)

🔇 Additional comments (5)

service/codex_wham_usage.go (1)

11-56: LGTM — solid input validation and request handling.

The function properly validates inputs, uses context for cancellation, and correctly defers body close before reading.

One minor observation: the check on lines 41-43 if req.Header.Get("originator") == "" is always true for a newly created request, so the conditional is unnecessary — you could simplify to just req.Header.Set("originator", "codex_cli_rs").

web/src/components/table/channels/modals/CodexUsageModal.jsx (2)

25-58: LGTM — well-designed helper utilities.

Good defensive handling of edge cases with Number.isFinite() checks and proper fallback values. The formatting functions are concise and handle invalid inputs gracefully.

---

60-90: LGTM — clean component with good defensive rendering.

The RateLimitWindowCard properly handles missing/undefined windowData with optional chaining and nullish coalescing defaults.

web/src/hooks/channels/useChannelsData.jsx (2)

39-39: LGTM — import added correctly.

---

749-771: Modal opens even after showing an error — verify this is intentional.

When res?.data?.success is falsy (line 754), showError() is called but the code still proceeds to open the modal (line 757). This means users see both an error toast and the modal with potentially incomplete/error data.

If intentional (e.g., to show raw error response for debugging), consider adding a comment. Otherwise, you may want to return early after showing the error:

♻️ Suggested change if modal should not open on failure

         const res = await API.get(`/api/channel/${record.id}/codex/usage`, {
           skipErrorHandler: true,
         });
         if (!res?.data?.success) {
           showError(res?.data?.message || t('Failed to fetch usage'));
+          return;
         }
         openCodexUsageModal({

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@relay/channel/openai/chat_via_responses.go`:
- Around line 29-32: The code currently calls io.ReadAll(resp.Body) in
chat_via_responses.go which removes the previous 10MB guard and risks OOM;
restore a bounded read by wrapping resp.Body with io.LimitReader (e.g., limit to
10*1024*1024) before reading and handle ErrUnexpectedEOF/size-truncate cases by
returning a suitable OpenAI error (use types.NewOpenAIError with
types.ErrorCodeReadResponseBodyFailed) from the same function so oversized
responses are rejected gracefully; ensure you still close resp.Body and update
any tests that expect the previous size behavior.

In `@web/src/hooks/channels/useChannelsData.jsx`:
- Around line 749-773: The modal is opened even when the codex usage API returns
success: false; update the block inside the record?.type === 57 branch (the
API.get call and its handling) so that after detecting !res?.data?.success you
log and showError and then return early (i.e., do not call openCodexUsageModal),
and likewise ensure the catch path also returns after showError; specifically
modify the logic around API.get and the openCodexUsageModal call to only invoke
openCodexUsageModal when res?.data?.success is truthy.

🧹 Nitpick comments (2)

relay/compatible_handler.go (1)

220-228: Consider removing redundant checks if helper is only used internally.

The helper has two checks that are redundant given the current call site:

1. info == nil — info is used extensively before this call (lines 31, 33, 47, etc.) and would panic if nil
2. info.RelayMode != RelayModeChatCompletions — already verified by the caller at line 79

If this helper is designed for reuse from other call sites where these preconditions aren't guaranteed, the defensive checks are appropriate. Otherwise, they add minor overhead and cognitive load.

♻️ Simplified version (if only called from TextHelper)

 func shouldChatCompletionsViaResponses(info *relaycommon.RelayInfo) bool {
-	if info == nil {
-		return false
-	}
-	if info.RelayMode != relayconstant.RelayModeChatCompletions {
-		return false
-	}
 	return service.ShouldChatCompletionsUseResponsesGlobal(info.ChannelId, info.OriginModelName)
 }

web/src/components/table/channels/modals/EditChannelModal.jsx (1)

1972-2057: Well-structured UI for Codex channel type.

The Codex (type 57) UI block is comprehensive:

• TextArea with clear JSON format placeholder and validation hints
• Context-appropriate action buttons (OAuth, refresh in edit mode, format, view key)
• Properly integrated CodexOAuthModal with correct event handlers

One minor simplification: Line 2044 includes {batchExtra}, but since batchAllowed excludes type 57, this will always be null. You could remove it from this block for clarity, though it's functionally harmless.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 957615a and f1024b4.

📒 Files selected for processing (6)

• relay/channel/openai/chat_via_responses.go
• relay/compatible_handler.go
• web/src/components/table/channels/modals/CodexOAuthModal.jsx
• web/src/components/table/channels/modals/CodexUsageModal.jsx
• web/src/components/table/channels/modals/EditChannelModal.jsx
• web/src/hooks/channels/useChannelsData.jsx

🚧 Files skipped from review as they are similar to previous changes (2)

• web/src/components/table/channels/modals/CodexUsageModal.jsx
• web/src/components/table/channels/modals/CodexOAuthModal.jsx

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the applyModelMapping function transforms the models list by replacing original model names (mapping values) with display names (mapping keys). The database stores this transformed list containing mapped keys. On channel load, data.models contains these mapped display names, making the initialization filter if (data.models.includes(key)) correct.

Applied to files:

• web/src/components/table/channels/modals/EditChannelModal.jsx

📚 Learning: 2025-08-27T02:15:25.448Z

Learnt from: AAEE86
Repo: QuantumNous/new-api PR: 1658
File: web/src/components/table/channels/modals/EditChannelModal.jsx:555-569
Timestamp: 2025-08-27T02:15:25.448Z
Learning: In EditChannelModal.jsx, the database stores mapped keys (display names) in the models field after applying model mapping transformations. When loading a channel, data.models contains the mapped keys, not the original model names. The filtering logic if (data.models.includes(key)) in the initialization is correct.

Applied to files:

• web/src/components/table/channels/modals/EditChannelModal.jsx

🧬 Code graph analysis (3)

web/src/hooks/channels/useChannelsData.jsx (1)

web/src/components/table/channels/modals/CodexUsageModal.jsx (2)

• openCodexUsageModal (104-190)
• openCodexUsageModal (104-190)

web/src/components/table/channels/modals/EditChannelModal.jsx (2)

web/src/helpers/utils.jsx (4)

• showSuccess (157-159)
• showError (122-151)
• verifyJSON (273-280)
• verifyJSON (273-280)

web/src/components/table/channels/modals/CodexOAuthModal.jsx (1)

• CodexOAuthModal (27-149)

relay/compatible_handler.go (5)

setting/model_setting/global.go (1)

• GetGlobalSettings (57-59)

relay/constant/relay_mode.go (1)

• RelayModeChatCompletions (10-10)

relay/common/relay_info.go (1)

• RelayInfo (82-131)

service/openai_chat_responses_mode.go (1)

• ShouldChatCompletionsUseResponsesGlobal (12-14)

service/openaicompat/policy.go (1)

• ShouldChatCompletionsUseResponsesGlobal (12-18)

🔇 Additional comments (10)

relay/compatible_handler.go (2)

78-82: LGTM - good refactoring to cache global setting.

Caching passThroughGlobal avoids repeated calls to model_setting.GetGlobalSettings() and improves readability. The extracted helper centralizes the decision logic nicely.

---

102-102: LGTM - consistent use of cached value.

Using the cached passThroughGlobal ensures consistent behavior within the same request handling.

web/src/hooks/channels/useChannelsData.jsx (1)

39-39: LGTM!

Import for openCodexUsageModal is correctly added to support the new Codex usage modal functionality.

web/src/components/table/channels/modals/EditChannelModal.jsx (7)

59-59: LGTM!

Import for CodexOAuthModal is correctly added.

---

118-119: LGTM!

Type 57 (Codex) secret prompt correctly instructs users about the required JSON format with access_token and account_id.

---

218-220: LGTM!

State variables for Codex OAuth modal visibility and credential refresh loading state are properly defined.

---

508-519: LGTM!

When switching to Codex type (57), the code properly resets batch-related state and clears Vertex-specific file uploads, preventing incompatible configurations.

---

843-867: LGTM with a note.

Both handlers are well-implemented with proper loading states and error handling. The handleRefreshCodexCredential correctly guards against non-edit mode and handles errors gracefully.

Note: After a successful credential refresh, the form's key field is not updated with the new value. If this is intentional (server-side refresh only), consider adding a comment. If users expect to see the new credentials, consider fetching and displaying the updated key.

---

1117-1156: LGTM!

Comprehensive validation for Codex (type 57) channel submission:

• Correctly prevents batch creation
• Requires key for new channels
• Validates JSON structure and required fields (access_token, account_id)
• Re-serializes to normalize the JSON

The validation logic is thorough and provides clear error messages to guide users.

---

1489-1489: LGTM!

Batch creation is correctly disabled for Codex channels (type 57), consistent with the validation logic in the submit handler.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Removing the response body size limit introduces memory exhaustion risk.

The previous 10MB limit protected against memory exhaustion from malicious or misbehaving upstream servers. Without a cap, an unbounded response can cause OOM and service disruption.

Consider restoring a size limit using io.LimitReader:

🛡️ Suggested fix to restore size limit

-	body, err := io.ReadAll(resp.Body)
+	const maxResponseSize = 10 << 20 // 10 MB
+	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
 	if err != nil {
 		return nil, types.NewOpenAIError(err, types.ErrorCodeReadResponseBodyFailed, http.StatusInternalServerError)
 	}
+	if len(body) >= maxResponseSize {
+		return nil, types.NewOpenAIError(fmt.Errorf("response body too large"), types.ErrorCodeBadResponseBody, http.StatusInternalServerError)
+	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	body, err := io.ReadAll(resp.Body)
	if err != nil {
	return nil, types.NewOpenAIError(err, types.ErrorCodeReadResponseBodyFailed, http.StatusInternalServerError)
	}
	const maxResponseSize = 10 << 20 // 10 MB
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
	if err != nil {
	return nil, types.NewOpenAIError(err, types.ErrorCodeReadResponseBodyFailed, http.StatusInternalServerError)
	}
	if len(body) >= maxResponseSize {
	return nil, types.NewOpenAIError(fmt.Errorf("response body too large"), types.ErrorCodeBadResponseBody, http.StatusInternalServerError)
	}

🤖 Prompt for AI Agents

In `@relay/channel/openai/chat_via_responses.go` around lines 29 - 32, The code
currently calls io.ReadAll(resp.Body) in chat_via_responses.go which removes the
previous 10MB guard and risks OOM; restore a bounded read by wrapping resp.Body
with io.LimitReader (e.g., limit to 10*1024*1024) before reading and handle
ErrUnexpectedEOF/size-truncate cases by returning a suitable OpenAI error (use
types.NewOpenAIError with types.ErrorCodeReadResponseBodyFailed) from the same
function so oversized responses are rejected gracefully; ensure you still close
resp.Body and update any tests that expect the previous size behavior.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Modal opens even when API call fails.

When res?.data?.success is false (line 754), the code shows an error message but still proceeds to open the modal (line 758) with potentially incomplete or error data. This leads to confusing UX where the user sees both an error toast and a modal with bad data.

Consider returning early after showing the error to prevent opening the modal on failure:

🐛 Proposed fix

       if (record?.type === 57) {
         try {
           const res = await API.get(`/api/channel/${record.id}/codex/usage`, {
             skipErrorHandler: true,
           });
           if (!res?.data?.success) {
             console.error('Codex usage fetch failed:', res?.data?.message);
             showError(t('获取用量失败'));
+            return;
           }
           openCodexUsageModal({
             t,
             record,
             payload: res?.data,
             onCopy: async (text) => {
               const ok = await copy(text);
               if (ok) showSuccess(t('已复制'));
               else showError(t('复制失败'));
             },
           });
         } catch (error) {
           console.error('Codex usage fetch error:', error);
           showError(t('获取用量失败'));
         }
         return;
       }

🤖 Prompt for AI Agents

In `@web/src/hooks/channels/useChannelsData.jsx` around lines 749 - 773, The modal
is opened even when the codex usage API returns success: false; update the block
inside the record?.type === 57 branch (the API.get call and its handling) so
that after detecting !res?.data?.success you log and showError and then return
early (i.e., do not call openCodexUsageModal), and likewise ensure the catch
path also returns after showError; specifically modify the logic around API.get
and the openCodexUsageModal call to only invoke openCodexUsageModal when
res?.data?.success is truthy.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@service/codex_credential_refresh_task.go`:
- Around line 137-139: Remove the redundant guard around the debug log: delete
the surrounding if common.DebugEnabled conditional and always call
logger.LogDebug(ctx, "codex credential auto-refresh: scanned=%d refreshed=%d",
scanned, refreshed) because LogDebug already checks common.DebugEnabled; update
the block that currently wraps logger.LogDebug so only the direct
logger.LogDebug call remains (refer to logger.LogDebug and the variables scanned
and refreshed).

♻️ Duplicate comments (1)

service/codex_credential_refresh.go (1)

94-96: Direct DB update bypasses model-layer validations.

The raw model.DB.Model(...).Update(...) call bypasses Channel.Update(), which handles MultiKeySize recalculation for multi-key channels, status data cleanup, and UpdateAbilities(). Since ch is already loaded, consider using:

ch.Key = string(encoded)
if err := ch.Update(); err != nil {
    return nil, nil, err
}

This ensures consistency if Codex channels ever become multi-key or if other model-layer hooks are added.

🧹 Nitpick comments (2)

controller/channel.go (1)

632-661: Double timeout context nesting.

The controller creates a 10-second timeout (line 639), and RefreshCodexChannelCredential internally creates another 10-second timeout (line 62 in service/codex_credential_refresh.go). The inner timeout will be constrained by the outer one—if any overhead occurs before the inner timeout starts, the effective refresh window could be less than 10 seconds.

Consider removing the controller-level timeout and relying on the service's internal timeout, or passing the controller's context directly without an additional timeout.

♻️ Suggested simplification

 func RefreshCodexChannelCredential(c *gin.Context) {
 	channelId, err := strconv.Atoi(c.Param("id"))
 	if err != nil {
 		common.ApiError(c, fmt.Errorf("invalid channel id: %w", err))
 		return
 	}
 
-	ctx, cancel := context.WithTimeout(c.Request.Context(), 10*time.Second)
-	defer cancel()
-
-	oauthKey, ch, err := service.RefreshCodexChannelCredential(ctx, channelId, service.CodexCredentialRefreshOptions{ResetCaches: true})
+	oauthKey, ch, err := service.RefreshCodexChannelCredential(c.Request.Context(), channelId, service.CodexCredentialRefreshOptions{ResetCaches: true})
 	if err != nil {

service/codex_credential_refresh.go (1)

19-29: Consolidate duplicate OAuthKey structs across layers.

The codebase has identical struct definitions in two places: OAuthKey in relay/channel/codex/oauth_key.go (lines 9–19) and CodexOAuthKey in service/codex_credential_refresh.go (lines 19–29). Both define the same fields with identical JSON tags. Similarly, parsing logic is duplicated as ParseOAuthKey and parseCodexOAuthKey.

Consider importing and reusing OAuthKey from the relay layer instead of maintaining a parallel struct. This eliminates the maintenance burden of keeping two identical definitions in sync.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f1024b4 and 2aa47cf.

📒 Files selected for processing (4)

• controller/channel.go
• main.go
• service/codex_credential_refresh.go
• service/codex_credential_refresh_task.go

🧰 Additional context used

🧬 Code graph analysis (4)

main.go (1)

service/codex_credential_refresh_task.go (1)

• StartCodexCredentialAutoRefreshTask (31-49)

controller/channel.go (4)

constant/channel.go (1)

• ChannelTypeCodex (57-57)

common/json.go (1)

• Unmarshal (9-11)

service/codex_credential_refresh.go (2)

• RefreshCodexChannelCredential (42-104)
• CodexCredentialRefreshOptions (15-17)

common/gin.go (1)

• ApiError (141-146)

service/codex_credential_refresh.go (7)

common/json.go (2)

• Unmarshal (9-11)
• Marshal (21-23)

model/channel.go (1)

• Channel (21-58)

constant/channel.go (1)

• ChannelTypeCodex (57-57)

service/codex_oauth.go (3)

• RefreshCodexOAuthToken (40-43)
• ExtractCodexAccountIDFromJWT (226-252)
• ExtractEmailFromJWT (254-272)

model/main.go (1)

• DB (64-64)

model/channel_cache.go (1)

• InitChannelCache (21-86)

service/http_client.go (1)

• ResetProxyClientCache (71-80)

service/codex_credential_refresh_task.go (6)

common/constants.go (2)

• IsMasterNode (112-112)
• DebugEnabled (71-71)

model/channel.go (2)

• Channel (21-58)
• ChannelInfo (60-68)

model/main.go (1)

• DB (64-64)

constant/channel.go (1)

• ChannelTypeCodex (57-57)

service/codex_credential_refresh.go (2)

• RefreshCodexChannelCredential (42-104)
• CodexCredentialRefreshOptions (15-17)

service/http_client.go (1)

• ResetProxyClientCache (71-80)

🔇 Additional comments (9)

service/codex_credential_refresh.go (2)

31-40: LGTM!

The parsing function correctly validates input and provides clear error messages.

---

42-87: LGTM!

The credential refresh flow is well-structured with proper validation, timeout handling, and defensive JWT extraction for missing fields.

controller/channel.go (2)

4-10: LGTM!

The new imports are required by the RefreshCodexChannelCredential handler.

---

609-627: LGTM with minor observation.

The validation correctly enforces Codex key structure. Note that the fmt.Sprintf("%v", v) approach treats a numeric 0 the same as the string "0" which would pass the empty check—this should be fine since token/account values are typically non-empty strings.

service/codex_credential_refresh_task.go (4)

19-24: LGTM!

The constants are well-chosen: 10-minute intervals with a 24-hour expiry threshold provides ample margin for credential refresh without excessive overhead.

---

31-49: LGTM!

The task initialization correctly uses sync.Once for idempotency, respects master-node configuration, and follows the established pattern of using gopool.Go for managed goroutines.

---

64-123: LGTM!

The batch processing correctly:

• Filters for enabled Codex channels
• Skips multi-key channels (per design)
• Uses expiry threshold to avoid unnecessary refreshes
• Logs warnings on failures without aborting the batch

---

125-135: LGTM!

Efficient cache reset logic—only triggered when credentials were actually refreshed. The panic recovery for InitChannelCache mirrors the defensive pattern used in main.go.

main.go (1)

105-106: LGTM!

The Codex credential auto-refresh task is properly initialized during startup. The placement after AutomaticallyTestChannels is logical, and the comment accurately describes the task's behavior.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

rg -n 'func LogDebug' --type go -A 3

Repository: QuantumNous/new-api

Length of output: 286

---

Remove the redundant if common.DebugEnabled check.

LogDebug already checks common.DebugEnabled internally before formatting and logging. The guard at lines 137-138 is unnecessary and adds a redundant conditional.

Current code (lines 137-139)

	if common.DebugEnabled {
		logger.LogDebug(ctx, "codex credential auto-refresh: scanned=%d refreshed=%d", scanned, refreshed)
	}

Simplify to:

	logger.LogDebug(ctx, "codex credential auto-refresh: scanned=%d refreshed=%d", scanned, refreshed)

🤖 Prompt for AI Agents

In `@service/codex_credential_refresh_task.go` around lines 137 - 139, Remove the
redundant guard around the debug log: delete the surrounding if
common.DebugEnabled conditional and always call logger.LogDebug(ctx, "codex
credential auto-refresh: scanned=%d refreshed=%d", scanned, refreshed) because
LogDebug already checks common.DebugEnabled; update the block that currently
wraps logger.LogDebug so only the direct logger.LogDebug call remains (refer to
logger.LogDebug and the variables scanned and refreshed).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@relay/channel/codex/adaptor.go`:
- Around line 55-95: The code in ConvertOpenAIResponsesRequest currently
swallows unmarshal errors for request.Instructions when
info.ChannelSetting.SystemPromptOverride is true and replaces the original
instructions with the system prompt; instead, preserve the original
request.Instructions on unmarshal failure and emit a warning (use the
gin.Context c or your existing logger) so the invalid/unparseable payload is
visible; only replace Instructions with the system prompt when unmarshaling
succeeds and indicates an empty string or when you explicitly decide to
fallback, and avoid silently discarding structured instruction payloads.

♻️ Duplicate comments (1)

relay/channel/codex/adaptor.go (1)

120-125: Error message inconsistent with actual endpoint path.

The error message states "only /v1/responses is supported" but the code uses /backend-api/codex/responses. This discrepancy was previously flagged.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2aa47cf and 6aa9c02.

📒 Files selected for processing (1)

• relay/channel/codex/adaptor.go

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-08T17:12:43.157Z

Learnt from: RedwindA
Repo: QuantumNous/new-api PR: 1537
File: relay/gemini_handler.go:330-342
Timestamp: 2025-08-08T17:12:43.157Z
Learning: In the new-api repository, the `GeminiEmbeddingHandler` function in `relay/gemini_handler.go` is designed specifically for native Gemini embedding requests and therefore does not require the `ConvertGeminiRequest` step that is used in the chat handler. The embedding requests are already in the native Gemini format and don't need conversion.

Applied to files:

• relay/channel/codex/adaptor.go

🔇 Additional comments (4)

relay/channel/codex/adaptor.go (4)

21-53: LGTM - Consistent unsupported endpoint handling.

The adaptor correctly returns explicit "endpoint not supported" errors for all non-Responses endpoints, which aligns with the Codex channel's limited scope.

---

97-110: LGTM - Clean delegation pattern.

Request and response handling correctly delegates to the shared infrastructure, with appropriate mode validation and streaming support.

---

127-151: LGTM - OAuth authentication setup.

The authentication logic properly parses the structured API key, validates required fields, and sets appropriate headers for the Codex backend.

---

153-158: No issues identified. The originator header is correctly set to "codex_cli_rs", which is the official identifier used by the Codex CLI itself for telemetry purposes. This is documented behavior, not impersonation, and is consistently used across the codebase. The implementation properly follows OpenAI's documented patterns for the Codex CLI.

Likely an incorrect or invalid review comment.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Silent discard of instructions on unmarshal failure.

When SystemPromptOverride is true and unmarshaling existing instructions fails (lines 82-88), the original request.Instructions are silently replaced with the system prompt. If the user provided instructions in a non-string format (e.g., the API could support structured instructions), this discards them without warning.

Consider logging a warning or returning an error when existing instructions cannot be parsed:

Suggested approach

 			}
 		} else {
-			if b, err := common.Marshal(systemPrompt); err == nil {
-				request.Instructions = b
-			} else {
-				return nil, err
-			}
+			// Log warning about unparseable instructions being replaced
+			common.SysLog("codex channel: could not parse existing instructions, replacing with system prompt")
+			if b, err := common.Marshal(systemPrompt); err == nil {
+				request.Instructions = b
+			} else {
+				return nil, err
+			}
 		}

🤖 Prompt for AI Agents

In `@relay/channel/codex/adaptor.go` around lines 55 - 95, The code in
ConvertOpenAIResponsesRequest currently swallows unmarshal errors for
request.Instructions when info.ChannelSetting.SystemPromptOverride is true and
replaces the original instructions with the system prompt; instead, preserve the
original request.Instructions on unmarshal failure and emit a warning (use the
gin.Context c or your existing logger) so the invalid/unparseable payload is
visible; only replace Instructions with the system prompt when unmarshaling
succeeds and indicates an empty string or when you explicitly decide to
fallback, and avoid silently discarding structured instruction payloads.